Slowly, oh so slowly, Microsoft is trying to undo the damage its Windows Genuine Advantage anti-piracy program has inflicted. But the company still has a long ways to go.
Case in point: The two WGA components that are loaded into Windows XP computers via the Windows Update servers are still presented to Windows users using a process that can fairly be described as deceptive and misleading.
Last month, my ZDNet colleague David Berlind analyzed the WGA installation process and its accompanying disclosure and concluded that “one of the WGA components that Microsoft is loading onto end users' systems through its Windows Update service is, contrary to what Microsoft says, installed without the end user's consent.” As part of his investigation, David documented the installation process in this image gallery.
Nearly five weeks later, despite improvements in the license and privacy agreements and some changes to the WGA code, Microsoft’s customers are still not getting an accurate and full disclosure of what’s being downloaded and installed on their computer. I’ve prepared an updated image gallery that shows the WGA installation process as it takes place today.
If anything, the problem has gotten worse. In the past few weeks, at least one well-respected and widely read Windows expert has recommended that Windows users disable Automatic Updates and install security patches using manual procedures instead. In his Windows Secrets Newsletter of June 29, Brian Livingston argued that WGA qualifies as spyware and urged his 140,000 readers to “dump Windows Update.” In today’s newsletter, he repeated the admonition, recommending that "all Windows users, other than novices … turn off Automatic Updates.” That’s bad advice, in my opinion, but it’s understandable, given the complete lack of transparency that Microsoft has displayed on this issue.
So what’s going on with WGA today? Here’s the condensed version:
Let’s say you visit Microsoft’s Windows Update using a PC on which Windows XP with Service Pack 2 has been freshly installed. You choose the Custom option, because you want to review any available updates before installing them. But Windows Update throws up a roadblock:
You “need to upgrade some of its components.” Sounds fairly innocuous, doesn’t it? The accompanying explanation, which includes six bullet points and more than 100 words, doesn’t mention Windows Genuine Advantage. It doesn’t explain that the Validation Tool (the component you’re about to download) is an anti-piracy utility that allows Microsoft to identify computers that contain “non-genuine” copies of Windows XP. Even if you click the tiny Details button, the explanation falls far short of describing what the tool really does.
After you install the WGA Validation Tool, you’re allowed in to the Windows Update website, where a second WGA component is included among the list of High Priority updates. The Windows Genuine Advantage Notification tool is supposed to be an opt-in program. The current version of the WGA FAQ page says: “While the program is presently opt-in, as it expands later in the year, it may become a requirement for the [Automatic Updates] service.” But it’s delivered as a High Priority update along with critical security patches. If you use Microsoft’s Automatic Updates program, you’ll get it with no notice.
So how do you opt out? If you visit Windows Update and use the Custom option, you can clear one check box to prevent WGA Notification from being installed. You can then click another check box to specify that you don’t want to see this update again:
That should be that. But the next time you visit Windows Update, you’re confronted with an ominous dialog box that contains this warning:
Your computer might be at risk? That’s nonsense. The WGA Notification tool doesn’t provide any security benefit, and refusing to install it involves no – zero, null, nada – risk to you or your computer.
For the record, I don’t think that there’s anything dangerous or onerous about the current versions of the WGA Validation and Notification tools. If their true nature and purpose were clearly explained, I think most people would be perfectly willing to install them.
My question is simple: Why can’t Microsoft describe both of these tools in simple, direct language? As a condition of using Windows Update, they want you to install an ActiveX control that checks the product key you used to activate Windows XP – the same one you already sent them when you first installed the operating system – so they can verify that your copy of Windows is properly licensed. That’s not so hard to understand, is it? So why use these misleading and deceptive descriptions? As a business decision, that’s just plain stupid.